this post was submitted on 16 Aug 2024
695 points (98.9% liked)

Technology

59559 readers
3454 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

archive

If you have the August 13, 2024—KB5041580 update. You're good.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 93 points 3 months ago (11 children)

As a networking nerd, I am endlessly frustrated with how many otherwise smart people are just 'fuck ipv6 lmao'

Giving me goddamn flashbacks to this https://www.youtube.com/watch?v=v26BAlfWBm8

[–] [email protected] 86 points 3 months ago
[–] [email protected] 45 points 3 months ago (3 children)

IPv6 genuinely made some really good decisions in its design, but I do question the default "no NAT, no private network prefixes" mentality since that's not going to work so well for average Janes and Joes

[–] [email protected] 55 points 3 months ago* (last edited 3 months ago) (1 children)

No NAT doesn't mean no firewall. It just means that you both don't have to deal with NAT fuckery or the various hacks meant to punch a hole through it.

Behind NAT, hosting multiple instances of some service that uses fixed port numbers requires a load-balancer or proxy that supports virtual hosts. Behind CGNAT, good luck hosting anything.

For "just works" peer to peer services like playing an online co-op game with a friend, users can't be expected to understand what port forwarding is, let alone how it works. So, we have UPnP for that... except, it doesn't work behind double NAT, and it's a gaping security hole because you can expose arbitrary ports of other devices if the router isn't set up to ignore those requests. Or, if that's not enough of a bad idea, we have clever abuse of IP packets to trick two routers into thinking they each initiated an outbound connection with the other.

[–] [email protected] 3 points 3 months ago (3 children)

can you tell me if any device in an IPv6 LAN can just assign itself more IP v6 adresses and thereby bypass any fw rule?

[–] [email protected] 10 points 3 months ago* (last edited 3 months ago) (2 children)

IPv6 has two main types of non-broadcast addresses to think about: link-local (fe80::) and public.

A device can self-assign a link-local address, but it only provides direct access to other devices connected to the same physical network. This would be used for peer discovery, such as asking every device if they are capable of acting as a router.

Once it finds the router, there are two ways it can get an IP address that can reach the wider internet: SLAAC and DHCPv6. SLAAC involves the device picking its own unique address from the block of addresses the router advertises itself as owning, which is likely what you're concerned about. One option for ensuring a device can't just pick a different address and pretend to be a new device is by giving it a subset of the router's full public address space to work with, so no matter what address it picks, it always picks something within a range exclusively assigned to it.

Edit: I butchered the explanation by tying to simplify it. Rewrote it to try again.

[–] [email protected] 6 points 3 months ago (4 children)

In most cases, the router advertises the prefix, and the devices choose their own IPv6. Unless you run DHCPv6 (which really no-one does in reality, I don't even think android will use it if present).

It doesn't allow firewall bypass though, as the other commenter noted.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (1 children)

DHCPv6 is very much in use with large ISPs. SLAAC only lets you get a single /64 (one network) from the ISP, but if you use DHCPv6, which is also provided ISP side, you can often request a /60 to get you 16 networks to use. Also, DHCPv6 doesn't base the IPv6 address off the MAC address like SLAAC does, so it is better for device privacy.

Why Android does not support DHCPv6 is beyond me. It's honestly quite ridiculous as it makes configuring LAN-side DNS and other things a lot easier.

[–] [email protected] 4 points 3 months ago

Dhcpv6-pd is used by isps for prefix delegation, which most routers support now (not so when my isp first started with it).

But for advertising prefixes on a lan most networks use router adverts.

They're different use cases though.

[–] [email protected] 2 points 3 months ago (1 children)

ok. thank you. stuff like this just made me wonder: https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/573_Configuring-IPv6-in-the-FRITZ-Box/

for linux etc they suggest du enable dhcpv6 and i cant figure out where they adress this in their firewalls. still learning.

[–] [email protected] 3 points 3 months ago (1 children)

Best thing to do to test the firewall is run some kind of server and try to connect to your ipv6 on that port.

Like I've said in other posts, routers really should block incoming connections by default. But it's not always the case that they do.

[–] [email protected] 1 points 3 months ago
[–] [email protected] 2 points 3 months ago (1 children)

Yeah, I butchered my answer by trying to simplify the process. I rewrote it in a hopefully more accurate but still simple to understand way.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (1 children)

Yep, it's all good. In my opinion, IPv6 routers should just be dropping incoming connections by default. If you want to run services you give your machine a static IPv6 and open ports on that IP/port specifically. It's actually easier than NAT because you don't need to translate ports and each IP can use the same ports (multiple web servers on 80/443).

I do agree that the average joe is going to expect NAT level security by default and that would provide that.

[–] [email protected] 3 points 3 months ago

I absolutely agree with you on all points here.

From a security perspective, allowing all incoming connections by default is unnecessarily exposing devices to a hostile environment. The average Joe isn't going to understand the risk unless somebody explained it as "it's like posting your home address on 4chan and hoping nobody manages to pick your front door lock," and they're likely never going to take advantage of the benefits that come from having their device be globally reachable.

Another benefit to not having to deal with NAT is that you can actually host services using the same protocol (e.g. HTTP) on multiple machines without having to resort to alternate port numbers or using a proxy with virtual host support.

[–] [email protected] 2 points 3 months ago (2 children)

Unless you run DHCPv6 (which really no-one does in reality)

Question for you since I have very little real world IPv6 experience: generally you can provide a lot of useful network information to clients via DHCP, such as the DNS server, autoconfig info for IP phones, etc. how does a network operator ensure that clients get this information if it's not using DHCPv6?

[–] [email protected] 2 points 3 months ago (4 children)

You can include some information in router advertisements, likely there will be rfcs for more. Not sure of the full list of stuff you can advertise.

For sure I'm quite sure I had dns servers configured this way. I'll check when not on a phone to see what options there are.

load more comments (4 replies)
[–] [email protected] 1 points 3 months ago

DHCPv6 is very definitely used with ipv6 and isps, as DHCPv6-PD is needed anyway to send prefix allocations to the router

DHCPv6 does the same thing DHCP does, just for v6 addresses. This includes pushing domain suffix and dns servers.

There is also Router Advertisement, which tells the discovering client that it is a router, what the prefix is, if there is a DHCPv6 server, and what the DNS is. As an alternative to DHCPv6, the client can set their own address based on the combination of the prefix and their MAC address, the SLAAC address. The way IPv6 routing tables are built, the router can always find a route by asking upstream on the address, and upstream only has to forward downstream on an address.

[–] [email protected] 2 points 3 months ago
[–] [email protected] 5 points 3 months ago (1 children)

How would that bypass the firewall?

[–] [email protected] 3 points 3 months ago (1 children)

Honestly, I think most fear of IPv6 is just borne out of ignorance and assigning their understanding of IPv4 onto IPv6 and making assumptions.

[–] [email protected] 5 points 3 months ago (1 children)

assigning their understanding of IPv4 onto IPv6 and making assumptions.

This is also what makes it more difficult to learn, unfortunately.

[–] [email protected] 1 points 3 months ago

That's true. But there are not many differences. It's just, the differences there are, are crucial to understanding it.

[–] [email protected] 3 points 3 months ago (1 children)

Not if your firewall router is setup right (strict mac address filtering)

[–] [email protected] 1 points 3 months ago (1 children)

so back to the beginning of this thread: ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers? and those ipv6 devices can in these szenarios escalate their permissions be spawning new ip adresses that would overcome lazy output fw rules?

thanks for all the explaining here so far!

or if i upload a malicious apk to some smartTV and have a it spawn a dhvpv6 server and then spawn a new virtual device that would be given an IP by my fake dhcpv6 to bypass. and we all can use macaddresschanger.

so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that'd be cool, but i dont understand how.

[–] [email protected] 4 points 3 months ago (1 children)

ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers?

no

and those ipv6 devices can in these szenarios escalate their permissions be spawning new ip adresses

yes and this is not "escalating their permissions", it is in fact the expected behavior with Privacy Extensions (RFC 4941) where devices will probably have multiple addresses at the same time that are used for outgoing connections

that would overcome lazy output fw rules?

any router that doesn't have deny as the default rule for WAN->LAN traffic (probably not many) is trash, and if you're filtering LAN->WAN traffic (not really usual for a home network) then you want default deny there too, but at that point that is not an ipv6 problem

or if i upload a malicious apk to some smartTV and have a it spawn a dhvpv6 server and then spawn a new virtual device that would be given an IP by my fake dhcpv6 to bypass. and we all can use macaddresschanger.

rogue dhcp is not an ipv6 exclusive problem

so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that’d be cool, but i dont understand how.

yes, firewall rules can work based on mac addresses, not sure exactly what you mean

load more comments (1 replies)
[–] [email protected] 15 points 3 months ago (1 children)

Routers simply need to block incoming unestablished packets (all modern routers allow for this) to replicate NAT security without NAT translation. Then you just punch holes through on IP addresses and ports you want to run services on and be done with it.

Now, some home routers aren't doing this by default, but they absolutely should be. That's just router software designers being bad, not IPv6's fault, and would get ironed out pretty quick if there was mass adoption and IPv4 became the secondary system.

To be clear, this is not a reason not to be adopting IPv6.

[–] [email protected] 2 points 3 months ago (1 children)

Routers simply need to block incoming unestablished packets

This is called a firewall

load more comments (1 replies)
[–] [email protected] 5 points 3 months ago* (last edited 3 months ago) (2 children)

Why would you think it wouldn’t work for the average Jane and Joe?

[–] [email protected] 6 points 3 months ago (1 children)

Not the person you were replying too, but I was there when we had modems and raw-dogged the internet.

The average person clicks "Yes" on everything without reading it, has no idea what a firewall is, and they never update anything unless it does it without asking.

Having things accessible from outside your network is great if you're a network nerd and that's what you want, but most people are going to be in a world of unprotected shit. Especially in a world of pointlessly online devices. I don't trust any of those fuckers to have their shit in order.

[–] [email protected] 4 points 3 months ago (1 children)

I would assume/hope the default setting for a consumer router would still be to drop incoming connections. That should suffice for the average person as long as ISPs don't make it easy to disable that without actually understanding what the consequences are.

[–] [email protected] 3 points 3 months ago (1 children)

I would also assume that to be the default, but unfortunately the first Google search for "why doesn't my smart fridge work from my phone when I leave the house" will be a set of instructions for turning that feature off.

NATs and port forwarding is annoying, but it's also very manual, and only lets you fuck up one device at a time.

[–] [email protected] 3 points 3 months ago (1 children)

Then the instructions are bad. They should be how to open the firewall port for that device, which is almost the same as setting a NAT port forward, with the same limitation of only exposing one device.

[–] [email protected] 2 points 3 months ago (1 children)

Yeah, but that's going to involve knowing what the device is called on the router, or knowing what the address is.

I'm afraid the great age of computer literacy has come and gone.

If anything it makes me want routers to not even allow a blanket whitelist for all devices...

[–] [email protected] 2 points 3 months ago

If anything it makes me want routers to not even allow a blanket whitelist for all devices...

I would be fine with this. Make it as annoying as possible so people don't blindly follow a guide to disable the firewall.

  • Remove firewall disable option, and only allow it to happen by DMZ or bridging to another router that would have it.

  • Require calling in to an ISP help desk, where they ask why you want to do that, and explain in no uncertain terms that you're probably going to open a portal to hell or summon cthulhu. If you still want to, you have to read them out the device serial number, read out a unique code in the router admin interface, and wait a week for the option to become available.

[–] [email protected] 4 points 3 months ago (1 children)

Honestly the more I think about it the more I realize I'm wrong. I was thinking someone could enable a server on their client device without realizing it but the firewall on the router would still need to be modified in that situation, and anything not requiring firewall modifications would be just as much of a security hole on IPv4

[–] [email protected] 5 points 3 months ago* (last edited 3 months ago)

Yeah it’s a common trip up. We’re all so used to the way that things are done in IPv4 that our natural response is to try and apply IPv4 logic to IPv6, but you’re absolutely right.

Many people think NAT is a security feature but but that’s only a coincidence and it doesn’t do anything a firewall doesn’t already do. And if we take it one step further we can actually see that a firewall and IPv6 is actually more secure than NAT. The only inherent risk of port warding in NAT is that the IP you’re forwarding to is ultimately arbitrary. Think, have a port open to SMB for a publicly accessible file sharing container, then later ditching it and via DCHP your laptop picks up that old IP and now voila you've technically exposed your laptop. It’s not quite that simple but that’s the essence of it.

But with IPv6, IPs are no longer arbitrary. When you allow access in certain ports to a certain machine and that machine goes away, that rule will always only allow access to nowhere.

[–] [email protected] 40 points 3 months ago* (last edited 3 months ago) (2 children)

As a tech nerd who self hosts stuff, I'm more like "what is IPV6 and why is it causing me issues, I can't figure this out, I guess I'll disable it, wow my problems are fixed now."

I guess I can see why people don't like it, as it's caused me issues, but just because I don't understand it doesn't mean it's dumb. I'd need to understand how it works before I could say anything about it, positive or negative. I guess all I could say is that it's been way less intuitive to me, I can't memorize the numbers, and the reason it exists makes sense. Beyond that, I unno.

I should probably spend the time to learn about it, but I already have a full time job where I work on computers all day, I'd rather focus on my other hobbies while I'm at home.

[–] [email protected] 11 points 3 months ago (1 children)

It's not terribly difficult to learn when you avoid trying to relate it to IPv4 concepts. Particularly: forget about LAN addresses and NAT, and instead think about a large block of public addresses being subdivided between local devices.

[–] [email protected] 8 points 3 months ago (1 children)

instead think about a large block of public addresses being subdivided between local devices.

Thinking about all my devices being exposed like that gives me the heebie jeebies. One public facing address hiding everything else on a private network is much less frightening to my monkey brain.

[–] [email protected] 9 points 3 months ago

This is what a firewall is for. Blocks inbound to the whole subnet space. Better than a NAT, which can open a port through STUN or simply a malformed packet.

[–] [email protected] 3 points 3 months ago

Back in the days I had an ISP that offered me IPv6 network, it was really easy to self host things over the internet, because IPv6 is unique to all devices, so the server had its own IPv6 global address, which I could access from anywhere with IPv6 connectivity. No more dealing with port forwarding (considering that the ISP didn't block the forwarding of ports). Just a firewall setting and voila, the service was accessible. It's that simple.

load more comments (8 replies)